Support like and not like operators on path regex to simplify path matching

Author: philipgough

authentication/mtls.go

@@ -29,11 +29,11 @@ func init() {
 }
 
 type mTLSConfig struct {
-	RawCA        []byte   `json:"ca"`
-	CAPath       string   `json:"caPath"`
-	PathPatterns []string `json:"pathPatterns"`
+	RawCA        []byte        `json:"ca"`
+	CAPath       string        `json:"caPath"`
+	Paths        []PathPattern `json:"paths,omitempty"`
 	CAs          []*x509.Certificate
-	pathMatchers []*regexp.Regexp
+	pathMatchers []PathMatcher
 }
 
 type MTLSAuthenticator struct {
@@ -86,13 +86,27 @@ func newMTLSAuthenticator(c map[string]interface{}, tenant string, registrationR
 		config.CAs = cas
 	}
 
-	// Compile path patterns
-	for _, pattern := range config.PathPatterns {
-		matcher, err := regexp.Compile(pattern)
+	// Compile path patterns with operators
+	for _, pathPattern := range config.Paths {
+		operator := pathPattern.Operator
+		if operator == "" {
+			operator = "=~" // default operator
+		}
+
+		// Validate operator
+		if operator != "=~" && operator != "!~" {
+			return nil, fmt.Errorf("invalid mTLS path operator %q, must be '=~' or '!~'", operator)
+		}
+
+		matcher, err := regexp.Compile(pathPattern.Pattern)
 		if err != nil {
-			return nil, fmt.Errorf("failed to compile mTLS path pattern %q: %v", pattern, err)
+			return nil, fmt.Errorf("failed to compile mTLS path pattern %q: %v", pathPattern.Pattern, err)
 		}
-		config.pathMatchers = append(config.pathMatchers, matcher)
+
+		config.pathMatchers = append(config.pathMatchers, PathMatcher{
+			Operator: operator,
+			Regex:    matcher,
+		})
 	}
 
 	return MTLSAuthenticator{
@@ -107,16 +121,24 @@ func (a MTLSAuthenticator) Middleware() Middleware {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			// Check if mTLS is required for this path
 			if len(a.config.pathMatchers) > 0 {
-				pathMatches := false
+				shouldEnforceMTLS := false
+
 				for _, matcher := range a.config.pathMatchers {
-					if matcher.MatchString(r.URL.Path) {
-						pathMatches = true
+					regexMatches := matcher.Regex.MatchString(r.URL.Path)
+
+					if matcher.Operator == "=~" && regexMatches {
+						// Positive match - enforce mTLS
+						shouldEnforceMTLS = true
+						break
+					} else if matcher.Operator == "!~" && !regexMatches {
+						// Negative match - enforce mTLS (path does NOT match pattern)
+						shouldEnforceMTLS = true
 						break
 					}
 				}
 
-				// If path doesn't match, skip mTLS enforcement
-				if !pathMatches {
+				// If no patterns matched requirements, skip mTLS enforcement
+				if !shouldEnforceMTLS {
 					next.ServeHTTP(w, r)
 					return
 				}

authentication/mtls_test.go

@@ -7,6 +7,7 @@ import (
 	"net/http/httptest"
 	"os"
 	"path/filepath"
+	"regexp"
 	"testing"
 
 	"github.com/go-kit/log"
@@ -466,3 +467,137 @@ func TestMTLSAuthenticator_CAConfiguration(t *testing.T) {
 	})
 }
 
+func TestMTLSPathPatternsWithOperators(t *testing.T) {
+	tests := []struct {
+		name         string
+		paths        []PathPattern
+		requestPath  string
+		expectSkip   bool
+		expectError  bool
+		description  string
+	}{
+		{
+			name:        "positive_match_operator",
+			paths:       []PathPattern{{Operator: "=~", Pattern: "/api/.*/receive"}},
+			requestPath: "/api/metrics/v1/receive",
+			expectSkip:  false,
+			description: "Positive match with =~ operator should enforce mTLS",
+		},
+		{
+			name:        "positive_no_match_operator",
+			paths:       []PathPattern{{Operator: "=~", Pattern: "/api/.*/receive"}},
+			requestPath: "/api/metrics/v1/query",
+			expectSkip:  true,
+			description: "No match with =~ operator should skip mTLS",
+		},
+		{
+			name:        "negative_match_operator",
+			paths:       []PathPattern{{Operator: "!~", Pattern: "^/api/(logs|metrics)/v1/auth-tenant/.*(query|labels|series)"}},
+			requestPath: "/api/metrics/v1/auth-tenant/api/v1/receive",
+			expectSkip:  false,
+			description: "Path not matching negative pattern should enforce mTLS",
+		},
+		{
+			name:        "negative_no_match_operator",
+			paths:       []PathPattern{{Operator: "!~", Pattern: "^/api/(logs|metrics)/v1/auth-tenant/.*(query|labels|series)"}},
+			requestPath: "/api/metrics/v1/auth-tenant/api/v1/query",
+			expectSkip:  true,
+			description: "Path matching negative pattern should skip mTLS",
+		},
+		{
+			name:        "default_operator",
+			paths:       []PathPattern{{Pattern: "/api/.*/receive"}}, // no operator specified
+			requestPath: "/api/metrics/v1/receive",
+			expectSkip:  false,
+			description: "Default operator should be =~",
+		},
+		{
+			name:        "multiple_patterns_one_match",
+			paths:       []PathPattern{
+				{Operator: "=~", Pattern: "/api/.*/receive"},
+				{Operator: "=~", Pattern: "/api/.*/push"},
+			},
+			requestPath: "/api/logs/v1/push",
+			expectSkip:  false,
+			description: "One matching pattern should enforce mTLS",
+		},
+		{
+			name:        "multiple_patterns_none_match",
+			paths:       []PathPattern{
+				{Operator: "=~", Pattern: "/api/.*/receive"},
+				{Operator: "=~", Pattern: "/api/.*/push"},
+			},
+			requestPath: "/api/metrics/v1/query",
+			expectSkip:  true,
+			description: "No matching patterns should skip mTLS",
+		},
+		{
+			name:        "invalid_operator",
+			paths:       []PathPattern{{Operator: "invalid", Pattern: "/api/.*/receive"}},
+			expectError: true,
+			description: "Invalid operator should cause error",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Test compilation (similar to newMTLSAuthenticator)
+			var pathMatchers []PathMatcher
+			
+			for _, pathPattern := range tt.paths {
+				operator := pathPattern.Operator
+				if operator == "" {
+					operator = "=~" // default operator
+				}
+				
+				// Validate operator
+				if operator != "=~" && operator != "!~" {
+					if tt.expectError {
+						return // Expected error
+					}
+					t.Errorf("Invalid operator %q should have caused error", operator)
+					return
+				}
+				
+				matcher, err := regexp.Compile(pathPattern.Pattern)
+				if err != nil {
+					if tt.expectError {
+						return // Expected error
+					}
+					t.Fatalf("Failed to compile pattern: %v", err)
+				}
+				
+				pathMatchers = append(pathMatchers, PathMatcher{
+					Operator: operator,
+					Regex:    matcher,
+				})
+			}
+			
+			if tt.expectError {
+				t.Error("Expected error but none occurred")
+				return
+			}
+			
+			// Test the matching logic (from middleware)
+			shouldEnforceMTLS := false
+			
+			for _, matcher := range pathMatchers {
+				regexMatches := matcher.Regex.MatchString(tt.requestPath)
+				
+				if matcher.Operator == "=~" && regexMatches {
+					shouldEnforceMTLS = true
+					break
+				} else if matcher.Operator == "!~" && !regexMatches {
+					shouldEnforceMTLS = true
+					break
+				}
+			}
+			
+			shouldSkip := !shouldEnforceMTLS
+			
+			if shouldSkip != tt.expectSkip {
+				t.Errorf("Expected skip=%v, got skip=%v for path %s", tt.expectSkip, shouldSkip, tt.requestPath)
+			}
+		})
+	}
+}

authentication/oidc.go

@@ -36,22 +36,34 @@ import (
 // OIDCAuthenticatorType represents the oidc authentication provider type.
 const OIDCAuthenticatorType = "oidc"
 
+// PathPattern represents a path pattern with an operator for matching.
+type PathPattern struct {
+	Operator string `json:"operator,omitempty"` // "=~" (default) or "!~"
+	Pattern  string `json:"pattern"`            // regex pattern
+}
+
+// PathMatcher represents a compiled path pattern with operator.
+type PathMatcher struct {
+	Operator string
+	Regex    *regexp.Regexp
+}
+
 func init() {
 	onboardNewProvider(OIDCAuthenticatorType, newOIDCAuthenticator)
 }
 
 // oidcConfig represents the oidc authenticator config.
 type oidcConfig struct {
-	ClientID      string   `json:"clientID"`
-	ClientSecret  string   `json:"clientSecret"`
-	GroupClaim    string   `json:"groupClaim"`
-	IssuerRawCA   []byte   `json:"issuerCA"`
-	IssuerCAPath  string   `json:"issuerCAPath"`
+	ClientID      string        `json:"clientID"`
+	ClientSecret  string        `json:"clientSecret"`
+	GroupClaim    string        `json:"groupClaim"`
+	IssuerRawCA   []byte        `json:"issuerCA"`
+	IssuerCAPath  string        `json:"issuerCAPath"`
 	issuerCA      *x509.Certificate
-	IssuerURL     string   `json:"issuerURL"`
-	RedirectURL   string   `json:"redirectURL"`
-	UsernameClaim string   `json:"usernameClaim"`
-	PathPatterns  []string `json:"pathPatterns"`
+	IssuerURL     string        `json:"issuerURL"`
+	RedirectURL   string        `json:"redirectURL"`
+	UsernameClaim string        `json:"usernameClaim"`
+	Paths         []PathPattern `json:"paths,omitempty"`
 }
 
 type oidcAuthenticator struct {
@@ -65,7 +77,7 @@ type oidcAuthenticator struct {
 	redirectURL  string
 	oauth2Config oauth2.Config
 	handler      http.Handler
-	pathMatchers []*regexp.Regexp
+	pathMatchers []PathMatcher
 }
 
 func newOIDCAuthenticator(c map[string]interface{}, tenant string,
@@ -160,14 +172,28 @@ func newOIDCAuthenticator(c map[string]interface{}, tenant string,
 		pathMatchers = append(pathMatchers, matcher)
 	}
 
-	// Compile path patterns
-	var pathMatchers []*regexp.Regexp
-	for _, pattern := range config.PathPatterns {
-		matcher, err := regexp.Compile(pattern)
+	// Compile path patterns with operators
+	var pathMatchers []PathMatcher
+	for _, pathPattern := range config.Paths {
+		operator := pathPattern.Operator
+		if operator == "" {
+			operator = "=~" // default operator
+		}
+		
+		// Validate operator
+		if operator != "=~" && operator != "!~" {
+			return nil, fmt.Errorf("invalid OIDC path operator %q, must be '=~' or '!~'", operator)
+		}
+		
+		matcher, err := regexp.Compile(pathPattern.Pattern)
 		if err != nil {
-			return nil, fmt.Errorf("failed to compile OIDC path pattern %q: %v", pattern, err)
+			return nil, fmt.Errorf("failed to compile OIDC path pattern %q: %v", pathPattern.Pattern, err)
 		}
-		pathMatchers = append(pathMatchers, matcher)
+		
+		pathMatchers = append(pathMatchers, PathMatcher{
+			Operator: operator,
+			Regex:    matcher,
+		})
 	}
 
 	oidcProvider := &oidcAuthenticator{
@@ -302,16 +328,24 @@ func (a oidcAuthenticator) Middleware() Middleware {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			// Check if OIDC is required for this path
 			if len(a.pathMatchers) > 0 {
-				pathMatches := false
+				shouldEnforceOIDC := false
+				
 				for _, matcher := range a.pathMatchers {
-					if matcher.MatchString(r.URL.Path) {
-						pathMatches = true
+					regexMatches := matcher.Regex.MatchString(r.URL.Path)
+					
+					if matcher.Operator == "=~" && regexMatches {
+						// Positive match - enforce OIDC
+						shouldEnforceOIDC = true
+						break
+					} else if matcher.Operator == "!~" && !regexMatches {
+						// Negative match - enforce OIDC (path does NOT match pattern)
+						shouldEnforceOIDC = true
 						break
 					}
 				}
 
-				// If path doesn't match, skip OIDC enforcement
-				if !pathMatches {
+				// If no patterns matched requirements, skip OIDC enforcement
+				if !shouldEnforceOIDC {
 					next.ServeHTTP(w, r)
 					return
 				}